Okta Specific Configuration

To access MDSS through Okta SSO, the following Okta groups must exist and be assigned to the users who need them:

  • SsoAdministrator - the equivalent of local MetaDefender Storage Security administrator role
  • SsoReadOnlyAdministrator - the equivalent of local MetaDefender Storage Security read-only role

To set up Okta SSO for MDSS, follow these steps:

  1. Under the Security tab, go to the API section, locate your Authorization Server and click the pencil icon to edit it.

The Issuer URI shown for the Authorization Server is the value to enter as the Authority URL in the MDSS SSO Configuration.

  2. Within the Scopes tab, add a new scope. Name it "groups", select Implicit for User Consent, and check the Include in public metadata checkbox.
  3. Within the Claims tab, add a new claim. Name it "groups", select ID Token and Always from the Include in token type dropdowns, select Groups as the Value Type, enter ".*" next to Matches regex so that all groups are included, and include the claim in the "groups" scope created in the previous step.
  4. Navigate to the Applications tab and select the Applications section, then click "Create App Integration".
  5. For the Sign-in method, select OIDC - OpenID Connect, and for the Application Type, select Web Application.
  6. Give the app integration a name and tick the required Grant Type checkboxes. Under Sign-in redirect URIs, enter the base URL of the MDSS deployment followed by the "/callback" suffix. For Controlled access, select Allow everyone in your organization to access.
  7. Save the Client ID, select Client Secret for Client authentication, generate a new secret and save it.
  8. Within the application, navigate to the Sign On tab and scroll down to OpenID Connect ID Token. Click the edit button; for the Groups Claim Type, select Filter, and for the Groups Claim Filter, enter "groups", select Matches regex from the dropdown and enter ".*".
  9. Under the Security tab, go to the API section, locate Access Policies and add a new one.
  10. Add the policy and assign it to All clients or to the clients you want.
  11. Create a rule, and make sure that under the Advanced label Implicit (hybrid) is checked.
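Once the steps above are complete, the quickest way to confirm that Okta is emitting what MDSS needs is to look at the ID token a test user receives and check the iss, aud and groups claims. The script below is an added example, not MDSS or Okta code. It decodes a compact JWT without verifying its signature (inspection only; the real relying party must verify the signature against the JWKS advertised at the issuer's discovery document), checks that iss matches the Authority URL and that aud contains the Client ID, and maps the two MDSS groups onto roles. The issuer, client ID and token contents are constructed sample values. Note that because the claim filter is ".*", every group the user belongs to lands in the token; only SsoAdministrator and SsoReadOnlyAdministrator grant an MDSS role, the rest are ignored.

```python
import base64
import json

# Okta groups that MDSS maps onto its local roles (from the page).
OKTA_GROUP_TO_MDSS_ROLE = {
    "SsoAdministrator": "administrator",
    "SsoReadOnlyAdministrator": "read-only administrator",
}

# Assumed values for the demonstration only: the Issuer URI of the Okta
# authorization server (the MDSS Authority URL) and the saved Client ID.
SAMPLE_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_CLIENT_ID = "0oaexampleclientid"


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token_claims(id_token):
    """Return the payload of a compact JWT without verifying its signature.

    Inspection only: a relying party must verify the signature against the
    JWKS published via <issuer>/.well-known/openid-configuration.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def mdss_roles_from_id_token(id_token, expected_issuer, expected_client_id):
    """Check iss/aud and translate the 'groups' claim into MDSS roles."""
    claims = decode_id_token_claims(id_token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss %r does not match the configured Authority URL" % claims.get("iss"))
    aud = claims.get("aud")
    if not (aud == expected_client_id or (isinstance(aud, list) and expected_client_id in aud)):
        raise ValueError("aud does not contain the MDSS Client ID")
    groups = claims.get("groups")
    if not isinstance(groups, list):
        # Typical cause: the 'groups' claim is not in the 'groups' scope, or the
        # app's Groups Claim Filter on the Sign On tab was not set.
        raise ValueError("ID token carries no 'groups' claim")
    # '.*' in the claim filter emits every group the user belongs to; only the
    # two MDSS groups grant a role, everything else is ignored.
    return [OKTA_GROUP_TO_MDSS_ROLE[g] for g in groups if g in OKTA_GROUP_TO_MDSS_ROLE]


def build_unsigned_token(claims):
    """Constructed sample token (alg=none, empty signature) for offline demonstration."""
    return "%s.%s." % (_b64url_encode({"alg": "none", "typ": "JWT"}), _b64url_encode(claims))


# Constructed sample claims in the shape the ID token takes after the steps
# above: all of the user's groups appear in the 'groups' claim.
READ_ONLY_TOKEN = build_unsigned_token({
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "00uexampleuser",
    "groups": ["Everyone", "SsoReadOnlyAdministrator"],
})
NO_GROUPS_TOKEN = build_unsigned_token({
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "00uexampleuser",
})

if __name__ == "__main__":
    print(mdss_roles_from_id_token(READ_ONLY_TOKEN, SAMPLE_ISSUER, SAMPLE_CLIENT_ID))
    try:
        mdss_roles_from_id_token(NO_GROUPS_TOKEN, SAMPLE_ISSUER, SAMPLE_CLIENT_ID)
    except ValueError as exc:
        print("rejected:", exc)
```

To use it against a real token, paste the ID token returned to the "/callback" URL (or copied from the Okta Token Preview tab of the app integration) in place of READ_ONLY_TOKEN and the real Issuer URI and Client ID in place of the sample constants; an empty role list means the user is in neither MDSS group, and a "no 'groups' claim" error points back at steps 2, 3 and 8.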